Do-it-yourself plan to take down Sality botnet outlined on public mailing list

A method that anyone can use to hijack a massive multipurpose botnet called Sality was described in detail on a public mailing list on Tuesday.

Sality is a file-infecting virus that has been around for more than nine years. More than 100,000 computers are infected with the malware and form a large peer-to-peer botnet used for various cybercriminal activities.

The email's author linked to a Python script that can be used to determine the update URLs queried by the botnet and suggested that a Sality removal utility developed by antivirus firm AVG could be hosted on one of them to be downloaded and executed by the infected computers.

Sality updates are usually hosted on compromised websites, so in order to replace them with the removal utility, someone would have to hack into those websites, like the Sality creators did, or persuade their owners to willingly host the tool.

Technically speaking, there is a chance that the plan may work, although the result would be unpredictable because each computer can have software and hardware particularities that come into play when the botnet is instructed to do something, said Vikram Thakur, principal manager at Symantec Security Response.

Furthermore, forcing the botnet clients to download and execute the removal tool is illegal because it involves modifying software on other people's computers without their authorization. "Legally and ethically speaking, the takedown plan is a definite 'no,'" Thakur said.

Therefore, the public availability of these takedown instructions is more likely to help other cybercriminals who wish to hijack the botnet rather than legitimate security researchers interested in disabling it.

Cybercriminals are probably already trying to use the information in the email to their advantage, Thakur said. However, Symantec hasn't seen any changes in the botnet since the takedown plan was posted online.

There's one step required for the plan to work that hasn't been fully revealed by the email's author: In order for the botnet clients to actually download and execute updates, the files need to be encrypted in a certain way.

"I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out," the anonymous poster said.

However, he promised to release more details about Sality if and when the botnet is shut down. "It is unfortunate that I am unable to do so now due to these legal issues, but, as I'm sure you all know, it is more important to respect the law than to fix anything," he said in a sarcastic note.

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.

Contact Us

With over 25 years of brand awareness and credibility, Good Gear Guide (formerly PC World Australia), consistently delivers editorial excellence through award-winning content and trusted product reviews.